b'Report No. DODIG-2013-060                 March 26, 2013\n\n\n\n\n   Improvements Needed With Tracking and Configuring\n           Army Commercial Mobile Devices\n\x0cAdditional Copies\nTo obtain additional copies of this report, visit the Department of Defense Inspector\nGeneral website at http://www.dodig.mil/pubs/index.cfm, or contact the Secondary\nReports Distribution Unit at auditnet@dodig.mil.\n\nSuggestions for Audits\nTo suggest or request audits, contact the Office of the Deputy Inspector General for\nAuditing at auditnet@dodig.mil or by mail:\n\n                      Department of Defense Office of Inspector General\n                      Office of the Deputy Inspector General for Auditing\n                      ATTN: Audit Suggestions/13F25-04\n                      4800 Mark Center Drive\n                      Alexandria, VA 22350-1500\n\n\n\n\nAcronyms and Abbreviations\nCIO                           Chief Information Officer\nCMD                           Commercial Mobile Device\nERDC                          Engineer Research and Development Center\nIA                            Information Assurance\nMDM                           Mobile Device Management\nMICA                          Mobile Information Collection Application\nPED                           Portable Electronic Device\nUSACE                         United States Army Corps of Engineers\nUSMA                          United States Military Academy\n\x0c                                 INSPECTOR GENERAL\n                                  DEPARTMENT OF DEFENSE\n                                  4800 MARK CENTER DRIVE\n                               ALEXANDRIA, VIRGINIA 22350-1500\n\n\n\n                                                                                   MAR 2 6 2013\n\n\nMEMORANDUM FOR ARMY CHIEF INFORMATION OFFICER\n                         AUDITOR GENERAL, DEPARTMENT OF THE ARMY\n\n\nSUBJECT: Improvements Needed With Tracking and Configuring Army Commercial\n         
    Mobile Devices (Report No. DODIG-2013-060)\n\n\nWe are providing this repott for review and comment. The Army did not implement an\neffective cybersecurity program for commercial mobiles devices. If devices remain\nunsecure, malicious activities could disrupt Army networks and compromise sensitive\nDoD information. We considered management comments on a draft of this report when\npreparing the final report.\n\n\nDoD Directive 7650.3 requires that all recommendations be resolved promptly. We\nreceived comments fi\xc2\xb7om the Director, Army Chief lnfotmation Officer Cybersecurity\nDirectorate on behalf of the Chief Information Officer, Department of the Army. The\nDirector\'s comments on Reconunendations 1 and2 were nonresponsive. Therefore, we\nrequest additional comments from the Chieflnformation Officer, Department of the\nArmy, on these recommendations by April25, 2013. We considered the Director\'s\ncomments on Recommendation 3 responsive.\n\n\nPlease provide comments that conform to the requirements of DoD Directive 7650.3. If\npossible, send a portable document file (.pdf) containing your comments to\naudros@dodig.mil. Copies of management comments must have the actual signature of\nthe authorizing official. We are unable to accept the /Signed/ symbol in place of the\nactual signature. If you arrange to send classified comments electronically, you must\nsend them over the SECRET Internet Protocol Router Network (SIPRNET).\n\n\nWe appreciate the courtesies extended to the staff. Please direct questions to me at\n(703) 604- 8866 (DSN 664-8866).\n\n\n\n\n                                            1;1             /\\/ (\n                                           L A..- ( ;.. 
t \'-....J lt().JYj(---\'\\\n                                                  .\n\n\n\n                                                      l              .\n                                                                     .\n\n\n\n                                             Alice F. Carey              {)\n                                             Assistant Inspector General\n                                             Readiness, Operations, and Support\n\x0c\x0cReport No. DODIG-2013-060 (Project No. D2012-D000LC-0147.000)                March 26, 2013\n\n\n              Results in Brief: Improvements Needed With\n              Tracking and Configuring Army Commercial\n              Mobile Devices\n                                                        \xe2\x80\xa2   require training and use agreements\nWhat We Did                                                 specific to CMDs. The CIOs at USMA\nOur objective was to determine whether the                  and USACE ERDC did not train CMD\nDepartment of the Army had an effective                     users and require users to sign user\ncybersecurity program that identified and                   agreements.\nmitigated risks surrounding commercial mobile          These actions occurred because the Army CIO\ndevices (CMDs) and removable media.                    did not develop clear and comprehensive policy\nSpecifically, at the sites visited, we verified        for CMDs purchased under pilot and non-pilot\nwhether Army officials appropriately tracked,          programs. In addition, the Army CIO\nconfigured, and sanitized CMDs. Additionally,          inappropriately concluded that CMDs were not\nwe determined whether the Army used                    connecting to Army networks and storing\nauthorized removable media on its network.             sensitive information. 
As a result, critical\n                                                       information assurance controls were not\n                                                       appropriately applied, which left the Army\nWhat We Found                                          networks more vulnerable to cybersecurity\nThe Army Chief Information Officer (CIO) did           attacks and leakage of sensitive data.\nnot implement an effective cybersecurity\nprogram for CMDs. Specifically, the Army CIO           What We Recommend\ndid not appropriately track CMDs and was\nunaware of more than 14,000 CMDs used                  The Army CIO should develop clear and\nthroughout the Army. Additionally, at the sites        comprehensive policy to include requirements\nvisited, the Army CIO did not:                         for reporting and tracking all CMDs. In\n                                                       addition, the Army CIO should extend existing\n \xe2\x80\xa2 ensure that Commands configured CMDs\n                                                       information assurance requirements to the use of\n      to protect stored information. The CIOs\n                                                       all CMDs.\n      at United States Military Academy\n      (USMA) and United States Army Corps\n      of Engineers (USACE) Engineer Research           Management Comments and\n      and Development Center (ERDC) did not            Our Response\n      use a mobile device management                   The Director, Army CIO Cybersecurity\n      application to configure all CMDs to             Directorate provided comments on behalf of the\n      protect stored information.                      Army CIO, and agreed with the report\n \xe2\x80\xa2 require CMDs to be properly sanitized.              
recommendations, but the comments on\n      CIOs at USMA and USACE ERDC did                  Recommendations 1 and 2 were nonresponsive.\n      not have the capability to remotely wipe         We request comments in response to the final\n      data stored on CMDs that were transferred,       report by April 25, 2013. Please see the\n      lost, stolen, or damaged.                        recommendations table on the back of this page.\n \xe2\x80\xa2 control CMDs used as removable media.\n      The CIOs at USMA and USACE ERDC\n      allowed users to store sensitive data on\n      CMDs that acted as removable media.\n\n\n                                                   i\n\x0cReport No. DODIG-2013-060 (Project No. D2012-D000LC-0147.000)     March 26, 2013\n\nRecommendations Table\n\n        Management               Recommendations        No Additional Comments\n                               Requiring Comment              Required\nChief Information Officer,    1, 2                  3\nDepartment of the Army\n\nPlease provide comments by April 25, 2013.\n\n\n\n\n                                             ii\n\x0cTable of Contents\nIntroduction                                                   1\n\n      Objectives                                               1\n      Adopting New Technologies                                1\n      Army Chief Information Officer Responsibilities          2\n      CMDs Used by Army Activities Visited                     2\n      Review of Internal Controls                              4\n\nFinding. 
Cybersecurity Program for CMDs Needs Improvement      5\n\n      Guidance on the Use of CMDs                              5\n      CMD Tracking Needs Improvement                           5\n      CMDs Not Consistently Configured                         6\n      Sanitization Requirements Did Not Exist                  7\n      Controls Lacking for CMDs Used as Removable Media        7\n      CMD-Specific Training and User Agreements                8\n      Comprehensive Policy Specific to CMDs Needed             8\n      Army and Command CIOs Recognized Need for Change         9\n      Conclusion                                               9\n      Recommendations, Management Comments, and Our Response   9\n\nAppendix\n\n      Scope and Methodology                                    12\n      Use of Computer-Processed Data                           13\n      Use of Technical Assistance                              13\n      Prior Coverage                                           13\n\nManagement Comments\n\n      Army Chief Information Officer                           14\n\x0c\x0cIntroduction\nObjectives\nOur objective was to determine whether the Department of the Army had an effective\ncybersecurity program that identified and mitigated risks surrounding portable electronic\ndevices (PEDs) and removable media. Specifically, at the sites visited, we verified\nwhether Army officials appropriately tracked, configured, and sanitized PEDs.\nAdditionally, we determined whether the Army used authorized removable media on its\nnetwork. For a discussion on scope and methodology, see the Appendix.\n\nConsidering the broad definition of PEDs 1, we limited our review to commercial mobile\ndevices (CMDs) running on the Apple iOS, Android, and Windows mobile operating\nsystems. 
In addition, we excluded BlackBerry devices because the DoD OIG issued a\nreport on September 25, 2009, \xe2\x80\x9cControls Over Information Contained in BlackBerry\nDevices Used Within DoD\xe2\x80\x9d (DoD IG Report No. D-2009-111). Furthermore, our review\nfocused on the use of CMDs as removable media and the removable media within the\nCMDs.\n\nAdopting New Technologies\nWith the rapid changes in information technology, the Army decided to adopt newer\ntechnologies, starting with incorporating CMDs into daily activities. As the Army\nadopted this newer technology, it began testing CMDs in the field and in administrative\noffices. In 2009, the Army Vice Chief of Staff directed the Army Chief Information\nOfficer (CIO) to begin procuring inexpensive systems such as Apple iPhone and Google\nAndroid CMDs instead of the traditional procurement of dedicated software and\nhardware. DoD explored options to procure devices, such as Apple and Android\nproducts.\n\nDoD Mobile Device Strategy\nIn June 2012, the DoD CIO released the DoD Mobile Device Strategy to identify the\nvision and goals for using the full potential of mobile devices. The strategy focused on\nthe following areas of improvement critical to mobility.\n    \xe2\x80\xa2 wireless infrastructure to support the secure access and sharing of information via\n        voice, video, or data by mobile devices;\n    \xe2\x80\xa2 policies, processes, and standards to support secure mobile device usage, device-\n        to-device interoperability, and consistent device lifecycle management;\n    \xe2\x80\xa2 processes and tools to enable consistent development, testing, and distribution of\n        DoD-approved mobile applications for faster deployment to the user; and\n\n\n1\n  Army Regulation 25-2 defines a PED as a portable device with or without the capability of wireless or\nlocal area network connectivity. 
PEDs include cell phones, tablets, pagers, personal digital assistants,\nlaptops, memory sticks, thumb drives, and two-way radios. In addition, the Army CIO further states CMDs\nare tablets and smartphones that have a unique combination of computing power, mobile applications, and\naccess to network data, which sets CMDs apart from other PEDs.\n\n                                                   1\n\x0c   \xe2\x80\xa2   policies, processes, and mechanisms for appropriately Web-enabling critical DoD\n       information technology systems and functions for mobile devices.\n\nArmy Chief Information Officer Responsibilities\nThe Army CIO is responsible for supervising Army information technology functions\nand advising the Chief of Staff of the Army on network, communications, and signal\noperations. In addition, the Army CIO manages the Army cybersecurity program, which\nincludes analyzing and improving business processes, and managing information\nresources, acquisitions, and training. According to Army Regulation 25-1, \xe2\x80\x9cArmy\nKnowledge Management and Information Technology,\xe2\x80\x9d December 4, 2008, the Army\nCIO must provide oversight of the Army information assurance program. In 2010, the\nArmy CIO released guidance for the Army on piloting and integrating new mobile device\ntechnologies, requiring any Army command or organization to identify the mobile device\nactivities to the Army CIO. In 2011, the Army CIO issued additional guidance requiring\nall Army pilots using CMDs to obtain pilot authorization so that the Army CIO could\ntrack and share lessons learned and prevent duplication of effort.\n\nRisks of CMDs\nBoth the DoD CIO and the Army CIO recognized the risk of emerging CMD\ntechnologies on DoD information. Applications installed on devices may contain\nmalware or spyware, or may perform unexpected functions such as tracking user actions\nor sending private information to outsiders. 
Additionally, hackers can access features on\ndevices such as the Bluetooth or Wi-Fi radios connected to devices without the user\xe2\x80\x99s\nknowledge. Most CMDs, as purchased, do not come equipped with the security controls\nand other necessary security features required by DoD, presenting an undue risk to the\nenterprise.\n\nCMDs Used by Army Activities Visited\nWe conducted a datacall requesting a list of all smartphones (excluding BlackBerry\ndevices) and tablets that the Army procured from October 1, 2010, through\nMay 31, 2012. We received a list of more than 14,000 CMDs used throughout the Army.\nAs a result of the responses, we visited two sites to verify whether the CMDs in use were\nappropriately tracked, configured, and sanitized, and followed policy for using CMDs as\nremovable media. Specifically, we visited the United States Military Academy (USMA)\nat West Point, New York, and the United States Army Corps of Engineers (USACE),\nEngineer Research and Development Center (ERDC) at Vicksburg, Mississippi. USMA\nreported 276 CMDs, and USACE ERDC reported 276 CMDs, totaling 552 CMDs.\nUSACE ERDC reported an additional 290 CMDs during the site visit, which increased\nthe number of devices at the two locations to 842. The number of CMDs listed in the\ntable represents the number that each site reported to the DoD Office of Inspector\nGeneral (OIG) and does not reflect the total number of devices each site actually used.\nThe following table shows how each location used the devices, the total number reported,\nand total estimated cost of those devices.\n\n\n\n                                            2\n\x0c                Table. 
CMDs Reported by USMA and USACE ERDC\n\n                                                                              Total\n         Site             Device Usage       Number of Devices\n                                                                         Estimated Cost\n USMA                   Research Devices              276                   $242,444*\n                          Pilot Devices               276                    122,400\n USACE ERDC                 Non-Pilot                 290                    120,950\n                             Devices\n    Total                                         842                    $485,794\n* This represents cost for 266 devices. USMA was unable to provide cost for 10 devices.\n\nThe following outlines the number of devices tested at each site location. At USMA, we\nselected 72 CMDs to test; however, we tested only 48 CMDs because 24 of the 72 CMDs\nwere in the possession of faculty members and cadets who were not on site. In addition,\nwe selected 71 devices at USACE ERDC. During the site visit, the Program Manager\ninformed the team that USACE ERDC had an additional 290 non-pilot devices, which\nincreased the number of devices to 566 CMDs. As a result, we selected an additional 72\nCMDs to test, for a total of 143 CMDs at USACE ERDC. However, we tested only 133\nCMDs (62 non-pilot general research CMDs and 71 pilot CMDs) because 10 CMDs were\nin the possession of personnel who were unavailable.\n\nCMDs Used by United States Military Academy\nUSMA trains cadets to become officers in the United States Army. USMA originally\nacquired CMDs for use in a pilot program to assess the usability of the devices in support\nof the academic program. The assessment provided USMA an opportunity to discover\nwhat enhancements are possible for using CMDs to educate cadets. USMA also procured\nCMDs for other research purposes, such as a military history e-book, that leverages the\ncapabilities of mobile devices. 
Cadets and faculty also examined mobile device security\nand application development using CMDs.\n\nCMDs Used by United States Army Corps of Engineers, Engineer\nResearch and Development Center\nUSACE ERDC acquired CMDs for both pilot and non-pilot programs. USACE ERDC\nhas two pilot programs: Mobile Information Collection Application (MICA) and Blue\nRoof. In addition, USACE ERDC labs use CMDs for general research.\n\nUSACE ERDC Mobile Information Collection Application Pilot\nProgram\nThe MICA pilot program uses CMDs to replace the manual field data collection process\nduring a natural disaster. Using the device\xe2\x80\x99s built-in capabilities, personnel could take a\npicture, automatically capture the latitude and longitude, add notes, and instantly upload\nthe data to the server for analysis if Internet access were available. In areas with no\n\n\n\n\n                                             3\n\x0caccess available, the device stores the data until the individual returns to a location with\naccess. These capabilities allow decision makers to have immediate feedback on flood\nconditions.\n\nUSACE Blue Roof Pilot Program\nWorking under the authority of the Federal Emergency Management Agency, USACE\ncontractors can prevent additional damage to homes after a hurricane or other disaster by\ninstalling blue plastic sheeting as part of the Operation Blue Roof program. CMDs\nreplace paper forms by capturing the information digitally in the beginning.\nHomeowners use the CMD to request assistance and to provide the authorization for\nUSACE personnel to enter the property, but the system automatically disqualifies\nhomeowners who live outside an affected area and assigns an inspector for homes that\nqualify. Inspectors use the CMD to enter photos and notes, as well as the quantity of\nmaterials needed to repair the home.\n\nGeneral Research Programs\nUSACE ERDC also uses CMDs as part of general research programs. 
Research projects\nat USACE ERDC varied from application development to e-readers for scholarly\njournals. Additionally, USACE ERDC employees used these devices for personal use.\n\nReview of Internal Controls\nDoD Instruction 5010.40, \xe2\x80\x9cManagers\xe2\x80\x99 Internal Control Program (MICP) Procedures,\xe2\x80\x9d\nJuly 29, 2010, requires DoD organizations to implement a comprehensive system of\ninternal controls that provides reasonable assurance that programs are operating as\nintended and to evaluate the effectiveness of the controls. We identified internal control\nweaknesses for Army. The Army CIO did not implement an effective cybersecurity\nprogram for CMDs because they did not develop clear and comprehensive policy related\nto all CMDs. In addition, the Army CIO inappropriately concluded that CMDs were not\nconnecting to Army networks and storing sensitive information; and, therefore, did not\nextend current IA requirements to the use of CMDs. We will provide a copy of the\nreport to the senior official responsible for internal controls in the Department of the\nArmy.\n\n\n\n\n                                              4\n\x0cFinding. Cybersecurity Program for CMDs\nNeeds Improvement\nThe Army CIO did not implement an effective cybersecurity program applicable to\nCMDs. Specifically, the Army CIO did not appropriately track more than 14,000 CMDs\npurchased as part of pilot and non-pilot programs 2. In addition, at the two sites visited,\nthe Army CIO did not:\n    \xe2\x80\xa2 ensure that Commands configured CMDs adequately to secure data stored on the\n       device,\n    \xe2\x80\xa2 require all CMDs to be sanitized before transfer or loss,\n    \xe2\x80\xa2 control CMDs used as removable media, and\n    \xe2\x80\xa2 require training and user agreements specific to CMDs.\nThis occurred because the Army CIO did not develop clear and comprehensive policy for\nCMDs purchased under pilot and non-pilot programs. 
In addition, the Army CIO\ninappropriately concluded that CMDs were not connecting to Army networks and storing\nsensitive information; and, therefore, did not extend current IA requirements to the use of\nCMDs. Without an effective cybersecurity program specific to CMDs, critical IA\ncontrols necessary to safeguard the devices were not applied, and the Army increased its\nrisk of cybersecurity attacks and leakage of sensitive data.\n\nGuidance on the Use of CMDs\nDoD CIO Memorandum, \xe2\x80\x9cUse of Commercial Mobile Devices in the Department of\nDefense,\xe2\x80\x9d April 6, 2011, provides security objectives for CMDs that outline current\nchallenges and potential mitigation activities. The memorandum requires Component\nCIOs to review security requirements for using CMDs and to implement controls to\naddress the following:\n   \xe2\x80\xa2 using an enterprise management system to manage and control CMDs,\n   \xe2\x80\xa2 encrypting and sanitizing sensitive DoD information stored on CMDs,\n   \xe2\x80\xa2 granting access to CMDs through DoD identification and authentication\n       requirements,\n   \xe2\x80\xa2 using private key infrastructure credentials to send and receive e-mail messages,\n   \xe2\x80\xa2 installing designated approving authority-approved software and applications,\n       and\n   \xe2\x80\xa2 training users on CMDs.\n\nCMD Tracking Needs Improvement\nThe Army CIO did not appropriately track CMDs purchased as part of pilot and non-pilot\nprograms. According to the Army CIO memorandum, \xe2\x80\x9cU.S. Army Guidance on Piloting\nCommercial Mobile Devices,\xe2\x80\x9d November 3, 2011, Commands are required to obtain\nauthorization from the Army CIO for all pilots using CMDs. 
However, Commands used\n\n\n2\n    Pilot CMDs are devices that test the feasibility of incorporating the use of CMDs into daily activities.\n\n                                                         5\n\x0c                                                              Commands used more\nmore than 14,000 CMDs without obtaining appropriate            than 14,000 CMDs\nauthorization from the Army CIO. For example, the CIO at        without obtaining\nUSACE ERDC did not obtain authorization from the Army              appropriate\nCIO for CMDs purchased as part of its pilot and non-pilot    authorization from the\nCMD programs. As a result, the Army CIO was unaware of             Army CIO.\n566 CMDs used by USACE ERDC. Furthermore, USMA\ndid not obtain authorization for all CMDs purchased.\nSpecifically, the Army CIO was aware of only 180 of 276 CMDs actually in use at\nUSMA.\nIn addition to not obtaining the Army CIO authorization, CIOs at USMA and USACE\nERDC did not obtain an interim authority to test. According to the DoD Information\nAssurance Certification and Accreditation Process, organizations must obtain an interim\nauthority to test when live data are required to complete a specific test objective.\nHowever, CIOs at the two sites visited used live data, such as sensitive legal information\nat USMA and corporate e-mails at USACE ERDC, without obtaining an interim authority\nto test.\nFurthermore, CIOs at USMA and USACE ERDC did not maintain an accurate\naccounting of CMDs. Specifically, they retained on their property books for CMDs that\nwere lost, stolen, and damaged. Army Regulation 735-5, \xe2\x80\x9cPolicies and Procedures for\nProperty Accountability,\xe2\x80\x9d states Commands should initiate a financial liability\ninvestigation of property loss when they identify lost, damaged, or destroyed property.\nThe two sites visited did not always complete the financial liability investigation of\nproperty loss and report the devices to the Army CIO. 
For example, one MICA\nprogrammer at USACE ERDC damaged an iPhone and did not report the damage.\nInstead, the user replaced the device using personal funds and discarded the Government-\nissued device without the consent and knowledge of the Program Manager.\n\nCMDs Not Consistently Configured\nThe Army CIO did not ensure that Army                       15 of 48 CMDs did not\nCommands and Components configured CMDs to                  require a password to\nadequately secure data stored on the device. DoD              access the device.\nDirective 8500.01E, \xe2\x80\x9cInformation Assurance,\xe2\x80\x9d\nApril 23, 2007, states that all IA and IA-enabled information technology products\nincorporated into DoD information systems will be configured in accordance with DoD\napproved security configuration guidelines and require a properly administered and\nprotected password. Furthermore, according to the DoD CIO Memorandum, \xe2\x80\x9cUse of\nCommercial Mobile Devices in the Department of Defense,\xe2\x80\x9d April 06, 2011, devices\nreceiving or processing DoD information are considered part of a DoD information\nsystem and must be managed and controlled by an enterprise management system such as\na mobile device management (MDM) application. MDM applications allow\nadministrators to push security policies to manage devices and modify device\nconfiguration. However, at the two sites visited, CIOs at USMA and USACE ERDC did\nnot use an MDM application to configure all CMDs. For example, the USMA CIO did\nnot use an MDM application to configure 48 of 48 CMDs to require passwords. Instead,\n\n\n                                            6\n\x0cUSMA officials relied on individual users to create passwords to unlock CMDs. As a\nresult, 15 of 48 CMDs did not require a password to access the device.\n\nIn addition, the CIO at USACE ERDC did not use an MDM application to configure 62\nof 62 non-pilot general research CMDs. 
USACE ERDC relied on individual users to\nconfigure non-pilot general research CMDs to require password for unlocking devices.\nAs a result, users inconsistently configured passwords. Of the 62 non-pilot general\nresearch devices, 12 devices did not require a password to access the device. In addition,\nthe Program Manager at USACE ERDC did not appropriately configure 71 of the 71 pilot\nCMDs managed by the AirWatch 3 MDM application. Although USACE ERDC used an\nMDM application for Blue Roof and MICA devices, it did not configure the MDM\napplication to appropriately secure CMDs. As a result, passwords for Blue Roof and\nMICA pilot devices did not meet password complexity requirements.\n\nSanitization Requirements Did Not Exist\nThe Army CIO did not require all CMDs to be sanitized before transfer or after a device\nwas lost, stolen, or damaged. The DoD CIO Memorandum, \xe2\x80\x9cUse of Commercial Mobile\nDevices in the Department of Defense,\xe2\x80\x9d April 6, 2011, states that the system\nadministrator will have the capability to transmit a remove data wipe command to the\nCMD. However, CIOs at USMA and USACE ERDC did not have the capability to\nremotely wipe all transferred, lost, stolen, or damaged CMDs. For example, the USMA\nCenter for Faculty Excellence relied on users to reset the device to factory setting (a\nmethod of sanitization) before transferring to another user. As a result, 2 out of 48 CMDs\nstill contained information from the previous user. Although USACE ERDC had the\ncapability to remotely wipe CMDs used in the Blue Roof and MICA pilot programs using\nan MDM application, the CIO at USACE ERDC did not use an MDM application on the\nnon-pilot general research CMDs. As a result, USACE ERDC could not wipe two\ndevices stolen from a USACE ERDC employee\xe2\x80\x99s home.\n\nControls Lacking for CMDs Used as Removable Media\nThe Army CIO did not control CMDs used as              Cadets at USMA used CMDs as removable\nremovable media. 
The Army CIO Information               media to transfer and store sensitive case\nAssurance Best Business Practice, \xe2\x80\x9cControl of           files and evidence related to Cadet Honor\nRemovable Media,\xe2\x80\x9d February 29, 2012, requires                      Committee hearings.\nCommands to strictly control removable media\nused to transfer personally identifiable information or public health information. CIOs at\nUSMA and USACE ERDC did not adequately protect sensitive data stored on CMDs\nused as removable media. For example, cadets at USMA used CMDs as removable\nmedia to transfer and store sensitive case files and evidence related to Cadet Honor\n\n\n\n\n3\n AirWatch allows administrators to establish baseline configurations to authenticate users, set security\npolicies, protect personal and corporate data through encryption, prevent unauthorized device use, and\nperform monitoring and management functions.\n\n                                                     7\n\x0cCommittee 4 hearings. Cadet investigators also used these CMDs as personal devices.\nThe USMA CIO stated he was unaware that the devices were being used in this capacity.\nAs a result, USMA did not implement the proper security controls to protect the sensitive\ninvestigative data stored on the devices. In addition, one user at USACE ERDC used a\nnon-pilot CMD as removable media to transfer research documents and personally\nidentifiable information from a networked computer.\n\nCMD-Specific Training and User Agreements\nThe Army CIO did not require training and user agreements specific to CMDs. 
DoD\nDirective 8500.01E, \xe2\x80\x9cInformation Assurance,\xe2\x80\x9d April 23, 2007, requires the Army CIO to\nadequately train all personnel before authorizing access to DoD information systems.\nAdditionally, the Defense Information Systems Agency, Smartphone Policy Security\nTechnical Implementation Guide, Version 1, Release 6, November 23, 2011, provides a\nlist of topics that users must receive training on before they are issued a CMD.\nFurthermore, the General Wireless Policy Security Technical Implementation Guide,\nVersion 1, Release 7, November 23, 2011, requires users to sign a user agreement.\n\nThe CIO at USACE ERDC did not train CMD users outside of the Blue Roof and MICA\npilot programs. Additionally, the CIO at USACE ERDC did not require pilot and non-\npilot CMD users to sign a user agreement. Furthermore, the CIO at USMA did not have\nan IA training program specific to CMDs nor did they require users to sign a user\nagreement. For example, one user at USMA was unaware how to set up a password on\nthe CMD. As a result, the user did not protect the device with a password.\n\nComprehensive Policy Specific to CMDs Needed\nThe Army CIO did not develop clear and comprehensive policy for CMDs purchased\nunder pilot and non-pilot programs. Although the Army intended the current guidance to\napply to all CMDs, the Army CIO specified requirements only for pilot programs and did\nnot define what constitutes a CMD pilot program. The lack of clear and comprehensive\nguidance contributed to Army Commands not reporting and configuring CMDs to protect\nArmy networks and data. As a result, risk increased that Army networks may become\nvulnerable to cybersecurity attacks and leakage of sensitive data. 
The Army CIO should develop clear and comprehensive policy to include requirements for
reporting and tracking all CMDs purchased.

In addition, the Army CIO inappropriately concluded that CMDs were not connecting to
Army networks and storing sensitive information. As a result, the Army CIO did not
extend current IA requirements to the use of CMDs. The current Army CIO guidance for
CMDs did not outline IA requirements for configuring and sanitizing CMDs, using
CMDs as removable media, and completing training and user agreements. If the Army
CIO does not extend current IA requirements to CMDs, risk increases that CMDs will be
used to obtain unauthorized access to sensitive Army data. Therefore, the Army CIO
should designate CMDs as information systems, extend existing IA requirements to the
use of all CMDs, and develop a process to verify that users of CMDs are following Army
and DoD IA policies.

4
 The Cadet Honor Committee is a cadet-run group that investigates violations of the USMA honor code,
such as cheating, lying, and stealing, and recommends potential punishment to the USMA Superintendent.

Army and Command CIOs Recognized Need for Change
As a result of our inquiries into the number of devices, the Army CIO stated that more
Commands were reporting CMDs. The Army CIO indicated that accountability and
tracking of CMDs has improved. In addition, on July 10, 2012, the CIO at USMA
immediately directed the head of the Cadet Honor Committee to no longer allow cadet
investigators to use CMDs as removable media to store sensitive data until USMA could
configure the CMDs appropriately to protect case file information.

Furthermore, on August 28, 2012, the CIO at USACE ERDC issued an immediate
moratorium on the acquisition of new CMDs. 
The moratorium stated that until USACE ERDC developed guidance and a corrective action
plan, personnel could not use Government funds to purchase CMDs. USACE ERDC recognized
the need to use all aspects of AirWatch to manage and configure all CMDs. The CIO at
USACE ERDC also began purchasing additional AirWatch licenses to ensure that all CMDs
were appropriately managed and configured.

Conclusion
The Army CIO did not implement an effective cybersecurity program applicable to
CMDs. Specifically, the Army CIO did not appropriately track more than 14,000 CMDs
purchased as part of pilot and non-pilot programs. In addition, at the two sites visited, the
Army CIO did not:
   • ensure that Commands configured CMDs adequately to secure data stored on the
       device,
   • require all CMDs to be sanitized before transfer or loss, and
   • control CMDs used as removable media.
Without an effective cybersecurity program specific to CMDs, critical IA controls
necessary to safeguard devices were not applied. As a result, the Army increased its risk
of cybersecurity attacks and leakage of sensitive data.

Recommendations, Management Comments, and Our Response
We recommend that the Chief Information Officer, Department of the Army:

1. develop clear and comprehensive policy to include requirements for reporting
and tracking all commercial mobile devices purchased under pilot and non-pilot
programs.

Army Chief Information Officer Comments
The Director, Army CIO Cybersecurity Directorate, responding for the Army CIO,
agreed, stating the Army CIO Cybersecurity Directorate maintained a SharePoint Portal
and directed all Army organizations entering into a pilot to register and provide project
documentation. 
Additionally, an Army Senior Leader with authority to accept risk for the designated
organization must declare that guidance and policy are in place that align with the DoD
Commercial Mobile Devices Implementation Plan. The Director also stated that the Army
can access the Defense Information Systems Agency CONUS property management system,
which accounts for every CMD assigned to the Army, and that the system is used in the
ongoing Defense Information Systems Agency Mobile Pilot. Furthermore, the Director
stated that the Army Mobile Assurance Program Managers received and discussed this
information during the Army Mobile Electronic Device Working Group meetings. The
Director indicated that the Army CIO published guidance in November 2011 that directed
Army organizations to register each pilot and document senior approval.

Our Response
We considered the comments from the Director to be nonresponsive. We found that
Army Commands used more than 14,000 CMDs without receiving appropriate
authorizations from the Army CIO. Of those devices, we identified 566 CMDs used by
USACE ERDC and 96 CMDs at USMA that were not registered. Therefore, the
SharePoint Portal would not be useful in accounting for the Army Commands using
unregistered CMDs and devices that are not part of a pilot program. In addition, the
current guidance published by the Army CIO inconsistently addressed CMDs registered
in pilot programs only. The policy did not define what constitutes a pilot program, which
resulted in the Army Commands not reporting and configuring CMDs appropriately. We
request that the Army CIO provide comments to the final report.

2. designate commercial mobile devices as information systems and extend existing
information assurance requirements to the use of commercial mobile devices.

Army Chief Information Officer Comments
The Director agreed with the recommendation, stating that the designation of CMDs as
an information system is loosely applied. 
The Director also stated that a CMD is considered an extension of the existing
information system environment, provides an interface into an existing system or
environment, and does not require a separate designation. The Director stated that the
Army, along with DoD and the Defense Information Systems Agency, is working to
establish the ability to manage mobile devices utilizing an MDM system along with a
Mobile Application Store. The Director stated that, in the end, DoD would be able to
observe every managed mobile device and every application operating on these devices.
According to the Director, the DoD memorandum on the DoD Commercial Mobile
Implementation Plan, dated February 2013, addresses this capability.

Our Response
We considered the comments from the Director to be nonresponsive. Without specific
requirements to designate CMDs as information systems, users of CMDs would not apply
the appropriate information assurance controls to protect the devices and the data
contained on the devices. In addition, without a clear timeline on managing CMDs, there
is an increased risk that Army networks could be vulnerable to data leakage. We request
that the Army CIO provide comments to the final report.

3. develop a process to verify that users of commercial mobile devices are following
Army and DoD information assurance policies and implementing the appropriate
security controls to protect commercial mobile devices.

Army Chief Information Officer Comments
The Director agreed and stated that the Defense Information Systems Agency and the
Army were establishing the MDM and Mobile Application Store architectures that would
make all CMDs managed mobile devices, which would give the DoD and the Army Service
Provider the ability to observe every DoD-managed CMD and the applications operating
on the CMD. 
In addition, the Director stated that the Army would gain the ability to wipe or remove a
device from the environment as well as monitor applications used, web sites visited, and
data viewed, saved, or modified on the mobile devices. According to the Director, the
Army issued a request for proposal for the MDM and Mobile Application Store and
projected that the award would be determined in April 2013, with initial operating
capability expected by October 2013 and full operating capability available before the
end of FY 2014.

Our Response
The Director's comments were responsive. Therefore, no further comments are required.

Appendix. Scope and Methodology
We conducted this performance audit from April 2012 through February 2013 in
accordance with generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.

We determined whether the Department of the Army had an effective cybersecurity
program that identified and mitigated risks surrounding portable electronic devices and
removable media. We limited our review to tablets and smartphones running the Apple
iOS, Android, and Windows mobile operating systems. We interviewed personnel in the
Army CIO's office, DoD CIO's office, and the CIOs and users at USMA and USACE
ERDC. In addition, we requested a list of in-scope CMDs used throughout the Army
from October 1, 2010, through May 31, 2012. The Army CIO was unable to provide a
complete list and provided only a list of Commands that had registered CMD pilot
programs. 
As a result, we conducted a data call from June 1, 2012, through July 27, 2012,
requesting a list of all smartphones (excluding BlackBerry devices) and tablets procured.
We received responses from the 3 major Commands, 6 of the 9 Service Component
Commands, 9 of the 10 Direct Report Units, the Army Accessions Command, Army
Cyber Command, and Eighth U.S. Army, totaling more than 14,000 devices. We
selected USMA and USACE ERDC because these locations reported the highest number
of CMDs.

We performed testing at USMA, West Point, New York, and USACE ERDC, Vicksburg,
Mississippi, from July 2012 through August 2012. The DoD OIG statistician from the
Quantitative Methods Division computed sample sizes using a 95 percent confidence
level and a 10 percent precision rate. At USMA, we selected a statistical sample of 72
out of 276 CMDs. However, we were able to test only 48 CMDs because of device
availability. At USACE ERDC, we selected a statistical sample of 71 out of 276 pilot
CMDs and a statistical sample of 72 out of 290 general research CMDs. However, we
were able to test only 71 pilot devices and 62 general research devices because of device
availability. We were unable to project the sample results across the universe because
of the incomplete universe and the Commands' lack of accountability.

We evaluated device security controls by reviewing inventory records, site policies, and
procedures, and by interviewing CMD users and other relevant personnel. In addition, we
examined and tested CMD settings, such as password, operating system version,
Bluetooth, and Wi-Fi, to determine whether CMDs were configured correctly or could be
manipulated by users. We also reviewed MDM application security settings, when
available, to determine whether CMDs were properly configured. 
Specifically, the audit team obtained screenshots of the MDM application settings to
determine whether devices had appropriate security settings.

Use of Computer-Processed Data
We did not use computer-processed data to perform this audit.

Use of Technical Assistance
The DoD OIG's Quantitative Methods Division assisted with the audit by generating a
sample of devices to test for each location using a 95 percent confidence level and a 10
percent precision rate. We obtained assistance from information assurance officers with
the DoD OIG's Information Systems Directorate to create the testing steps. The
information assurance officers reviewed the audit team's testing steps to ensure that the
steps accurately tested relevant criteria.

Prior Coverage
During the last 5 years, the DoD Inspector General (DoD IG) has issued one report and
the Army Audit Agency has issued one memorandum report related to Army CMDs.
Unrestricted DoD IG reports can be accessed at http://www.dodig.mil/pubs/index.cfm.
Unrestricted Army reports can be accessed from .mil and gao.gov domains over the
Internet at https://www.aaa.army.mil/.

DoD IG
DoD IG Report No. D-2009-111, "Controls Over Information Contained in BlackBerry
Devices Used Within DoD," September 25, 2009

Army Audit Agency
Army Audit Agency Memorandum Report No. 
A-2011-0215-IET, "The Army's Use of
Smart Phones (Project Number A-2011-IET-0400.000)," September 29, 2011

Army Chief Information Officer Comments

                                   UNCLASSIFIED

ENCLOSURE: CIO/G-6 Cybersecurity Directorate Second Response to Department of
Defense Office of Inspector General Draft Report Improvements Needed with Tracking
and Configuring Army Commercial Mobile Devices (Project No. D2012-DOOOLC-
0147.000)

Objective: To determine whether the Department of the Army had an effective
cybersecurity program that identified and mitigated risks surrounding commercial mobile
devices (CMDs) and removable media. Specifically, at the sites visited, we verified
whether Army officials appropriately tracked, configured, and sanitized CMDs.
Additionally, we determined whether the Army used authorized removable media on its
network.

Finding: The Army Chief Information Officer (CIO) did not implement an effective
Cybersecurity program for CMDs. Specifically, the Army CIO did not appropriately track
CMDs and was unaware of more than 14,000 CMDs used throughout the Army.

Recommendation 1

The Chief Information Officer, Department of the Army, develop clear and
comprehensive policy to include requirements for reporting and tracking all commercial
mobile devices (CMD) purchased under pilot and non-pilot programs.

Chief Information Officer/G-6 Response:

Concur that the Army develop clear and comprehensive policy to include requirements
for pilot approval of CMDs.

Currently the Army has numerous approved mobile pilots and is also a participant in the
DoD/DISA Mobile pilot. The Army CIO, LTG Lawrence, signed the memorandum titled
"U.S. Army Guidance on Piloting of Commercial Mobile Devices," dated Nov 3, 2011.
This memorandum directs Army organizations to register each mobile pilot. 
The Army Cybersecurity Directorate maintains a SharePoint Portal where an Army
organization must register a mobile pilot and provide project artifacts. An Army Senior
Leader, who has the authority to accept risk and to make decisions for the designated
organization, provides the artifacts in the form of a declaration or through an online
survey. The registration process ensures that sensitive information (FOUO) and
Personally Identifiable Information (PII) is not allowed and the platform cannot connect
to the Army email system. On 3 April 2012 the Secretary of the Army signed a
memorandum titled "Mobile Computing Devices" and stated no unauthorized CMDs will
be connected to the NIPRnet or used to conduct official business.

This guidance and direction was communicated to all the Army Information Assurance
Program Managers (IAPMs) across the Army as well as during the Mobile Electronic
Working Groups. In summary, no CMDs are currently allowed for Army use outside of
authorized pilots, and policy and guidance has been promulgated.

A Headquarters Department of Army (HQDA) staff element that approves an Army pilot
would not maintain property accountability for any equipment that is purchased to
support that pilot. The organization that purchases the equipment is responsible for
maintaining accountability IAW Army property accountability regulations and procedures.

It is also important to note that the number of devices that an organization purchases to
support a pilot is not important. 
What is important is that the devices are used IAW the policy and guidelines that were
approved for the pilot.

Recommendation 2

The Chief Information Officer, Department of the Army, should designate commercial
mobile devices as information systems and extend existing information assurance
requirements to the use of commercial mobile devices.

Chief Information Officer/G-6 Response:

Concur that the Army should extend existing information assurance requirements to the
use of commercial mobile devices, but the Army will not establish CMDs as a
separate/stand-alone system. A CMD is an extension of the existing Information System
and does not require a separate designation; it provides an interface to an existing
system or environment and will fall under the control of the host system. In order to
further support the position of not considering a CMD an information system, the Army,
along with DoD and DISA, is working to establish the ability to manage Mobile Devices.
Mobile devices will be managed utilizing a Mobile Device Management (MDM) system in
concert with a Mobile Application Store (MAS). End state will be the DoD Enterprise
ability to observe every managed Mobile device, as well as every application operating
on a DoD-managed Commercial Mobile Device. This action is in development,
projected to be in place by the end of FY14. 
This capability is addressed in the DoD memorandum that the DoD CIO signed titled
"DoD Commercial Mobile Implementation Plan" dated February 2013.

Recommendation 3

The Chief Information Officer, Department of the Army, develop a process to verify that
users of commercial mobile devices are following Army and DoD information assurance
policies and implementing the appropriate security controls to protect commercial mobile
devices.

Chief Information Officer/G-6 Response:

Concur that the Army leverage a process to verify that users of CMDs follow Army and
DoD information assurance policies and implement the appropriate security controls to
protect CMDs.

The Army has already transitioned over 1 million users to the DoD/DISA enterprise
unclassified email system. DISA has become the Army's service provider. As DISA
establishes the MDM and MAS architecture, Army mobile devices will become managed
mobile devices. The governance and oversight will be established as a DISA service.
This capability will include visibility, oversight of proper configuration, and management
of all devices. Additionally, the capability to wipe or remove a device from the
environment and the ability to monitor usage of a mobile device with respect to
applications utilized, web sites visited, and data viewed, saved or modified will also be
available. The policy is in place to require the Army to utilize the MDM and MAS. 
This action is in development and planned to be in place by the end of FY14. The
Request for Proposal (RFP) for the MDM and MAS has closed and the determination of
the award is projected for April 2013. The build out and implementation of the awarded
solution is projected to achieve Initial Operating Capability (IOC) by October 2013 with
Full Operating Capability (FOC) to follow before the end of FY14.

DoD has issued over 30 policy memos, Security Requirements Guides (SRG), and
Security Technical Implementation Guides (STIG) that apply to mobile technology.
Detailed information on DoD mobile security policies can be found at
http://iase.disa.mil/stigs/a-z.html. As a component of DoD, the Army is required to
comply with these regulations. The DoD Instruction 8100.04 "DoD Unified Capabilities",
dated 9 DEC 2010, states that all devices that provide unified communications (including
CMDs) must have appropriate technical and security documents in place. The
instruction specifically requires the use of SRGs and STIGs to prescribe the requirements
and implementation details for the testing, certification, acquisition, and operation of
devices that provide unified communications. IA testing shall be conducted pursuant to
these guidelines prior to operation of products. Subsequently, DISA produced the
Mobile Device Management (MDM) SRG, the Wireless Smartphone SRG, the Mobile
OS SRG, as well as STIGs for Apple iOS, Android OS, and BlackBerry OS. Seeing that
the Army utilizes DISA as the enterprise solution provider for CMDs, we are compelled
to comply with the MDM SRG, Mobile OS SRG/STIGs, and all future policies related to
mobile technology.
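Added worked example (not part of the DoD IG report or the Army's response): the sample-size arithmetic behind the Appendix's "95 percent confidence level and a 10 percent precision rate," and the check an assessor would run when, as at USMA, far fewer devices than planned could actually be tested. The report does not state its formula; the code assumes the standard attribute-sampling design: a two-sided 95 percent z of 1.96, the conservative p = 0.5, and Cochran's finite-population correction with the result rounded up. Under those assumptions the planned sizes come out within one device of the report's 72 (of 276), 71 (of 276) and 72 (of 290), the difference being rounding convention, and the achieved precision for the 48 USMA devices actually tested widens to roughly 13 percent, which is one concrete reason the results could not be projected across the universe. Population and tested counts are the report's own figures; everything else is illustrative.

```python
"""Sample-size design and achieved-precision check for attribute sampling.

Added example, not from the DoD IG report. Assumptions not stated on the page:
z = 1.96 (two-sided 95 percent), p = 0.5 (worst-case attribute proportion),
Cochran finite-population correction, planned size rounded up.
"""
import math

Z_95 = 1.96            # two-sided 95 percent normal quantile (assumption)
P_CONSERVATIVE = 0.5   # maximises p(1-p); use when the error rate is unknown


def initial_sample_size(precision: float, z: float = Z_95,
                        p: float = P_CONSERVATIVE) -> float:
    """Infinite-population size n0 = z^2 * p(1-p) / e^2 (96.04 at e = 0.10)."""
    return (z ** 2) * p * (1 - p) / precision ** 2


def sample_size(population: int, precision: float = 0.10, z: float = Z_95,
                p: float = P_CONSERVATIVE) -> int:
    """Finite-population size n = n0 / (1 + (n0 - 1)/N), rounded up so the
    design never under-samples, and never larger than the population."""
    if population <= 0:
        raise ValueError("population must be positive")
    n0 = initial_sample_size(precision, z, p)
    n = n0 / (1 + (n0 - 1) / population)
    return min(population, math.ceil(n))


def achieved_precision(tested: int, population: int, z: float = Z_95,
                       p: float = P_CONSERVATIVE) -> float:
    """Margin of error actually obtained when only `tested` of `population`
    units were examined: z * sqrt(p(1-p)/n * (N-n)/(N-1))."""
    if not 0 < tested <= population:
        raise ValueError("tested must be between 1 and population")
    if population == 1:
        return 0.0
    variance = p * (1 - p) / tested * (population - tested) / (population - 1)
    return z * math.sqrt(variance)


def meets_precision(tested: int, population: int, target: float = 0.10) -> bool:
    """True when the sample actually tested still supports the designed precision."""
    return achieved_precision(tested, population) <= target


# Universes and tested counts as reported in the Appendix; the planned column
# is recomputed here under the assumptions above, not copied from the report.
REPORTED_SITES = {
    "USMA CMDs":                {"population": 276, "tested": 48},
    "USACE ERDC pilot CMDs":    {"population": 276, "tested": 71},
    "USACE ERDC research CMDs": {"population": 290, "tested": 62},
}


def sampling_summary(sites=REPORTED_SITES, precision: float = 0.10) -> dict:
    """Per-universe planned size, achieved precision, and whether the design held."""
    summary = {}
    for name, site in sites.items():
        n, tested = site["population"], site["tested"]
        summary[name] = {
            "planned": sample_size(n, precision),
            "tested": tested,
            "achieved_precision": round(achieved_precision(tested, n), 3),
            "meets_design": meets_precision(tested, n, precision),
        }
    return summary


if __name__ == "__main__":
    for name, row in sampling_summary().items():
        print(f"{name:26s} planned={row['planned']:3d} tested={row['tested']:3d} "
              f"precision={row['achieved_precision']:.3f} ok={row['meets_design']}")
```

Reading the output: only a sample that still meets the 10 percent target (for N = 276 that is 72 tested) can support a projected finding; a shortfall in device availability silently degrades precision, so the achieved figure, not the planned one, is what belongs in the report.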